WordPress Plugin Vulnerabilities

User Registration & Membership < 5.1.3 - Authentication Bypass

Description

The plugin is vulnerable to authentication bypass due to incorrect authentication in the 'register_member' function. This makes it possible for unauthenticated attackers to log in a newly registered user on the site who has the 'urm_user_just_created' user meta set.

Affects Plugins

Plugin icon
user-registration
Fixed in 5.1.3

References

CVE
CVE-2026-1779
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d99bc021-ba9e-4294-8dd2-c25bc8007d05

Miscellaneous

Original Researcher
0xd4rk5id3
Verified
No
WPVDB ID
ed4c7749-b2cb-4e3b-9285-4774135cdb65

Timeline

Publicly Published
2026-02-25 (about 2 months ago)
Added
2026-02-25 (about 2 months ago)
Last Updated
2026-02-25 (about 2 months ago)

Other

Published
Title
Published
2014-08-01
Title
Simple Download Button Shortcode 1.0 - Remote File Disclosure
Published
2014-08-01
Title
Myriad 2.0 - dl-skin.php _mysite_download_skin Parameter Absolute Path Traversal Remote File Download
Published
2014-08-01
Title
WordPress <= 2.8.5 - Unrestricted File Upload Arbitrary PHP Code Execution
Published
2014-08-01
Title
RokBox <= 2.13 - rokbox.php Direct Request Path Disclosure
Published
2023-05-30
Title
Wordapp <= 1.5.0 - Authorization Bypass via Insufficiently Unique Cryptographic Signature